Important: Type SET PRIV ON before trying to access another user's library members. This only has to be done once during each logged-on session. This command can also be placed in your signon proc.
Setting up Security Groups For Roscoe Library Members
Security group definitions govern how users may access one another's library members. The security group a user belongs to is specified in their UPS profile.
Security group definitions are stored in the member GROUPS under the UPS prefix. If the GROUPS member is not defined, all users have READ access to other users' library members. This allows any user to fetch SHARED library members but only the owner to change or update them.
A security group defines the read and write access permitted to:
- Users who are members of the group
- Users from other groups
The member GROUPS may contain two types of definitions:
- A global default access definition
  - If no individual group definitions exist, this definition controls the access for all users to other users' library members.
  - If a user does not belong to a security group, this definition controls the access other users have to that user's library members.
- Individual group definitions.
There can be a maximum of 255 different security groups. Once the groups are defined, each user's profile should be updated to show the group to which he is assigned. Note that a user can be assigned to only one group.
Defining Groups
- Set up group definitions. Save them in the member UPS.GROUPS. For complete information, see the System Reference Guide, Security Groups 4.8.
- The global access definition must be specified first.
GBLACC=XXXX : Default Access
This may be set to:
  NONE    Only the owner has access to his library members.
  EXEC    Anyone can execute a library member containing an RPF program.
  READ    Anyone can execute or fetch a library member.
  ALTER   Anyone can execute, fetch or change the attributes of a library member.
  UPDATE  Anyone can execute, fetch, alter and change a library member. (UPDATE also permits anyone to save a member in anyone's library.)
  DELETE
- Specify all the group definitions
Each group definition starts with the name of the group: GROUP xxxx
and ends with ENDGROUP (optional).
The following optional parameters may be specified for each group. (One of the values listed under the global access definition above must be specified.)
GRPACC= Specifies the type of access permitted to everyone else to the library members owned by the users in this group.
INTACC= Overrides the global access and, if specified, group access for users in this group.
XNONE= Name of one or more groups that are not allowed any type of access to library members owned by members of this group.
XEXEC= Name of one or more groups that are only allowed to execute RPFs contained in library members that are owned by members of this group.
XREAD= Name of one or more groups that are allowed to execute and fetch library members associated with this group.
XALTER= Name of one or more groups that are allowed to execute, fetch and alter the attributes of library members associated with this group.
XUPDATE= Name of one or more groups that are allowed to execute, fetch, alter and update library members associated with this group.
XDELETE= Name of one or more groups that are allowed to execute, fetch, alter, update and delete library members owned by members of this group.
ENDGROUP This keyword is used to mark the end of a group definition. If omitted, the next GROUP keyword or the end of the member terminates the current GROUP definition.
Here is an example:
    GBLACC=EXEC       : Default Access
    GROUP SYSTEM      : Definitions for the SYSTEM group.
    GRPACC=NONE       : General: No one can access any members.
    INTACC=DELETE     : Within Group: Anyone can delete.
    ENDGROUP
    GROUP APPLIC      : Definitions for the APPLIC group.
    GRPACC=READ       : General: Anyone can fetch members.
    INTACC=UPDATE     : Within Group: Anyone can update.
    XDELETE=SYSTEM    : Exception: SYSTEM group has full access.
    ENDGROUP
    GROUP ACCTING     : Definitions for the ACCTING group.
    INTACC=UPDATE     : General: Default Access.
    ENDGROUP          : Within Group: Anyone can update.
    GROUP WORDPROC    : Definitions for the WORDPROC group.
    ENDGROUP          : General & Within Group: Default access.
- Use the privileged command UPSVER to verify the syntax in the GROUPS member. The command syntax is:
UPSVER mem
where mem is the name of the library member containing the group definitions.
- Set the LIBACCES Roscoe startup parameter to LIBACCES=GROUP
- Update the LIBRARY SECURITY GROUP of each user profile to add the security group for each user.
- Recycle Roscoe. The new definitions will be available the next time CA Roscoe is brought up.
- If there is an error in the definitions, all users will be restricted to READ access.
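
To review a GROUPS member before installing it, the following added Python example (not part of the original page and not CA Roscoe code) parses the sample definitions above and resolves the access one group gets to another group's library members. Assumptions not stated on the page: text after ":" is a comment, multiple group names in an Xxxx= list are separated by commas or spaces, and a group without INTACC falls back to GRPACC and then GBLACC.

```python
LEVELS = ("NONE", "EXEC", "READ", "ALTER", "UPDATE", "DELETE")  # weakest first
# The sample GROUPS member from this page (most comments trimmed).
SAMPLE = """\
GBLACC=EXEC      : Default Access
GROUP SYSTEM     : Definitions for the SYSTEM group.
GRPACC=NONE
INTACC=DELETE
ENDGROUP
GROUP APPLIC
GRPACC=READ
INTACC=UPDATE
XDELETE=SYSTEM   : Exception: SYSTEM group has full access.
ENDGROUP
GROUP ACCTING
INTACC=UPDATE
ENDGROUP
GROUP WORDPROC
ENDGROUP
"""

def parse_groups(text):
    """Return (global_access, {group: {"GRPACC"/"INTACC": level, "X": {group: level}}})."""
    gbl, groups, cur = None, {}, None
    for raw in text.splitlines():
        line = raw.split(":", 1)[0].strip().upper()  # assumption: ':' starts a comment
        key, _, val = line.partition("=")
        if line.startswith("GROUP "):
            cur = groups.setdefault(line.split()[1], {"X": {}})
        elif line == "ENDGROUP":
            cur = None
        elif key == "GBLACC" and val in LEVELS:
            gbl = val
        elif key in ("GRPACC", "INTACC") and val in LEVELS and cur is not None:
            cur[key] = val
        elif key[:1] == "X" and key[1:] in LEVELS and cur is not None:
            for name in val.replace(",", " ").split():  # assumption: list separator
                cur["X"][name] = key[1:]
        elif line:  # anything else is a syntax error; blank lines are skipped
            raise ValueError(f"bad statement: {raw!r}")
    return gbl, groups

def effective_access(gbl, groups, requester, owner):
    """Access users in group `requester` get to members owned by group `owner`."""
    g = groups.get(owner)
    if g is None:  # owner is in no defined group: global default applies
        return gbl
    general = g.get("GRPACC", gbl)
    if requester == owner:  # assumption: INTACC falls back to GRPACC, then GBLACC
        return g.get("INTACC", general)
    return g["X"].get(requester, general)  # an Xxxx exception overrides GRPACC
```

This models only the group rules; UPSVER remains the authoritative syntax check for the member.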